The reality about PCI version 3.1? It primarily boils down to removing one cryptography example three times from the published standard. But that small step indeed signals a giant leap forward in payment card security.

The new guidance removes the Secure Sockets Layer encryption protocol, and early versions of Transport Layer Security, as examples of strong cryptography, and calls for use of a current, secure version of TLS.

It's unusual for the PCI Council to issue a mid-year update, but this one is critical, Leach says.

"We recognize that since the last time we published our standard in November of 2013, NIST and other subject matter experts have come out and said that the [SSL] protocol itself has been deprecated," Leach says. "So, we recognized that there was a need to move away from that example."

The PCI Council is giving covered entities until June of 2016 to complete the migration, and Leach encourages these organizations to start their risk assessment process now.

"We're asking the community to have the due diligence to do proper risk management of the situation, make an assessment of whether they are at risk, and then make their strategy progressive, so that they identify the top risks first, eliminate those, and then move forward," Leach says.

In his role as CTO and lead security standards architect for the PCI Council, Leach has developed and implemented a comprehensive quality assurance program. Before joining the council, he led the incident response program at American Express, where he reviewed more than 300 cases of account data compromises. Over the past 18 years, he has held positions in systems administration, network engineering, IT management, security assessment and forensic analytics.
